Configure temporary credential access for trusted AWS accounts

  • Release version: Zurich
  • Updated September 3, 2025
  • 3 minutes to read

    • Configure the trusting account whose resources need to be accessed, to rely on the trusted account using the Identity and Access Management (IAM) role.

    Before you begin

    • Familiarize yourself with the Amazon documentation on Creating a role to delegate permissions to an IAM user.
    • Decide which AWS account is going to be the trusted account. You use the trusted account to configure temporary credentials for Cloud Discovery using IAM roles. The trusted account that you use to access other accounts using IAM roles is referred to as an accessor account.
    • For trust chain setups, confirm that the member account trusts the management account before the management account trusts an accessor account. For more information, see Configure access for trusting AWS member accounts in trust chain.
    • Confirm that Discovery Admin Workspace is using at least version 1.10.0. The Discovery > Cloud Service Accounts navigation module isn't available with earlier versions. To access Cloud Service Accounts with an earlier version, enter in the navigation filter: cmdb_ci_cloud_service_account.list.
    Role required:
    • For Cloud Discovery: discovery_admin
    • For Cloud Provisioning and Governance: admin or sn_cmp.cloud_admin

    About this task

    During this configuration, you create an IAM role for the trusting account, and then configure the trusted service account for the trusting account at ServiceNow AI Platform. Finally, you associate the IAM role you created for the trusting account with the trusting account itself.

    Figure 1. Setting up any AWS account to rely on a trusted account with AWS credentials

    Set up the IAM role of the trusting AWS account to trust the user of the trusted AWS account for access

    Procedure

    1. Create an IAM role for the trusting account and configure the trust relationship between the user assuming this role and the trusted (accessor) account.
      1. Log in to the trusting account on the AWS Management Console.
      2. Create and configure the IAM role specifying the trusted (accessor) account ID in the Account ID field.
        For information on creating AWS roles, see the Amazon documentation.
      3. On the Summary page for the IAM role, select the Trust Relationships tab.
      4. Select Edit trust relationship.
        The Edit Trust Relationship page opens showing the policy document.
      5. Set the AWS parameter to the full user ARN of the trusted (accessor) account.

        Editing trust relationship for the trusting account.
      6. Verify that the Action value is set to sts:AssumeRole.
      7. Select Update Trust Policy.
    2. On the ServiceNow AI Platform, configure the trusted service account.
      1. Navigate to All > Discovery > Cloud Service Accounts.
      2. Selelct New.
      3. On the form, fill in the fields.
      4. Select Submit.
    3. On the ServiceNow AI Platform, configure the trusting service account.
      1. Navigate to All > Discovery > Cloud Service Accounts.
      2. Select New.
      3. In the Accessor account field, enter the name of the trusted account.
      4. On the form, fill in the remaining fields.
      5. Select Submit.
    4. On the ServiceNow AI Platform, assign the AWS IAM role to the trusting account, using the relevant form, based on the relationship to the trusted account.
      Trusted account typeSteps
      Management account
      1. Navigate to All > Cloud Provisioning and Governance > Organization Access Parameters > AWS Org Assume Role Parameters.
      2. Select New.
      3. On the form, configure only the following fields for the trusting member account:
        Table 1. Cloud Service Account AWS Org Assume Role Params form
        Field Definition
        Access role name Name of the IAM role created for the trusting account.
        • If IAM roles are the same across all member accounts: Enter the full ARN using an asterisk (*) as a wildcard for the account ID in the format: arn:aws:iam::*:role/MemberRoleName.

          For example: arn:aws:iam::*:role/SN_MEMBER_ACCOUNT_ROLE.

        • If IAM roles are different across member accounts: Enter the full ARN of the specific IAM role for each member account in a separate entry.
        Cloud service account Name of the trusting account for which you are providing access using the IAM role.
        • If IAM roles are the same across all member accounts: Enter the management account name.
        • If IAM roles are different across member accounts: Enter each member account in a separate entry.
      4. Select Submit.
      Member or discrete account
      1. Navigate to All > Cloud Provisioning and Governance > Organization Access Parameters > AWS Cross Assume Role Parameters.
      2. Select New.
      3. On the form, configure only the following fields for the trusting account:
        Table 2. Cloud Service Account AWS Cross Assume Role Params form
        Field Description
        Access role name Name of the IAM role created for the trusting account.
        Cloud service account Name of the trusting account for which you are providing access using the IAM role.
      4. Select Submit.

    What to do next

    Verify that ServiceNow applications can access the trusting service account using the IAM role:
    1. Navigate to All > Discovery > Cloud Service Accounts.
    2. Select the trusting AWS service account.
    3. Under Related Links, select Create Discovery Schedule.
    4. In the Discovery Manager Cloud Discovery page, select Test Account.
      • If the connection is successful, a message displays indicating the account validation is successful.
      • If the connection isn't successful, an error message displays indicating the cause of failure.